General Data Protection Regulation – GDPR
Processing of personal data has been governed by the General Data Protection Regulation (EU) since May 25th 2018. This regulation is known as the GDPR. The GDPR places requirements on the controller and requires the controller to be able to demonstrate compliance with them. The controller must also design personal data processing so as to reduce risk, compile comprehensive documentation of the processing, keep records of all processing activities, and more. An important consequence of non-compliance with the GDPR is the fines of up to 20 000 000 EUR, or up to 4 % of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. The GDPR applies to all entities processing personal data of natural persons in the EU. Typically, these are the personal data of employees, customers and suppliers.
To put the GDPR requirements into practice, it is important to perform a comprehensive review of personal data processing, set up new processes and control mechanisms, and compile detailed documentation. A number of requirements can also be automated in information systems: for example the logging of personal data processing, automatic erasure of personal data by a given date, and support for the data subject's right of access, right to be forgotten and right to data portability. We have therefore decided to develop a solution that simplifies the implementation of the GDPR requirements. Usually, we implement the GDPR solution in SugarCRM or SpiceCRM. The solution can also be delivered as a standalone application integrated with existing information systems. If you do not already have a CRM system, you need one because you process the personal data of your customers (contact persons). Contact us and we will help you implement the GDPR requirements for your business.
You can also read the answers to the questions we are most frequently asked when consulting our clients. We have also prepared an overview of GDPR definitions and an overview of quality sources of information about the GDPR.
Is the general regulation on personal data protection too general?
We prepare CRM systems for the GDPR for our clients. We often meet the view that the GDPR requirements are too general and that it is difficult to apply specific measures in an enterprise system. However, on a more detailed reading of the regulation, it is possible to find requirements that should be implemented in every enterprise system. For example, the controller must be able to clearly demonstrate whether personal data are processed lawfully (the data subject has given consent, processing is necessary for the performance of a contract or for compliance with a legal obligation, etc.). It is clear, therefore, that this information needs to be stored in a reasonable way so that it can be found easily when needed. Every item of personal data must also carry information about the date from which and the date until which it is processed. The controller must be able to prove and justify this information if necessary. After the consent or legal title expires, the personal data must be erased from all locations where they are stored. Other specific measures follow from the rights of access, erasure and data portability. Therefore, it cannot be argued that the GDPR is too general. Concrete measures need to be implemented, of which only a few are mentioned here.
Is there a simple tool for resolving GDPR requirements?
Simply installing some tool cannot ensure that your business will operate according to the GDPR requirements. The GDPR requires a comprehensive review of personal data processing. First, it is necessary to analyze which personal data are processed, in what way and for what purpose. Personal data may appear, for example, in information systems, Excel spreadsheets, emails and documents. They can also be printed and archived physically. That is why the GDPR requirements cannot be resolved only by installing some great tool.
Imagine a situation where, apart from erasing personal data from the system, you also need to shred a printed document. Such an operation cannot be carried out by the application. However, the application can notify the responsible person to shred the document and have them confirm the operation afterwards. We can see that the GDPR requirements cover both automated processes in information systems and processes performed physically by the responsible persons. For this reason, it is not possible to resolve the GDPR requirements only by installing some application.
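The two answers above describe the same bookkeeping: every item of personal data carries its legal basis and the dates between which it may be processed, expired data are erased from every location where a copy is held, erasures are logged so that lawfulness can be demonstrated later, and copies the application cannot reach (printed documents) become a task for a responsible person who confirms the shredding. The following Python sketch is an added example written for this page; it is not code from SugarCRM, SpiceCRM or the solution described here. The storage location names, the `LegalBasis` values, the record layout and the sample records are all constructed for the illustration.

```python
"""Retention and erasure bookkeeping for personal data (illustrative example)."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class LegalBasis(Enum):
    # Three of the lawful bases named in the text; assumed labels.
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGAL_OBLIGATION = "legal obligation"


# Assumed location names. "paper_archive" stands for printed copies that the
# application cannot erase by itself and must hand over to a person.
PHYSICAL_LOCATIONS = {"paper_archive"}

# Fixed "today" so the example is reproducible (constructed value).
TODAY = date(2024, 6, 1)


@dataclass
class PersonalDataRecord:
    subject_id: str
    legal_basis: LegalBasis
    valid_from: date
    valid_to: Optional[date]   # None: no end date fixed yet (e.g. open-ended contract)
    locations: List[str]       # every place where a copy of the data is held

    @property
    def erased(self) -> bool:
        return not self.locations


@dataclass
class ManualTask:
    """Work item for the responsible person, e.g. shred the printed copy."""
    subject_id: str
    location: str
    confirmed: bool = False


@dataclass
class ProcessingLog:
    """Append-only record of processing activities: (subject, operation, detail)."""
    entries: List[Tuple[str, str, str]] = field(default_factory=list)

    def record(self, subject_id: str, operation: str, detail: str) -> None:
        self.entries.append((subject_id, operation, detail))


def is_expired(rec: PersonalDataRecord, today: date) -> bool:
    return rec.valid_to is not None and today > rec.valid_to


def lawfulness(rec: PersonalDataRecord, today: date) -> Tuple[bool, str]:
    """Answer 'on what basis, and for which period, are these data processed?'"""
    if is_expired(rec, today):
        return False, f"{rec.legal_basis.value} expired on {rec.valid_to.isoformat()}"
    if today < rec.valid_from:
        return False, f"processing only starts on {rec.valid_from.isoformat()}"
    until = rec.valid_to.isoformat() if rec.valid_to else "open-ended"
    return True, f"{rec.legal_basis.value} valid from {rec.valid_from.isoformat()} until {until}"


def run_retention_job(records: List[PersonalDataRecord], today: date,
                      log: ProcessingLog) -> List[ManualTask]:
    """Erase expired data from electronic locations; raise tasks for physical copies."""
    tasks: List[ManualTask] = []
    for rec in records:
        if rec.erased or not is_expired(rec, today):
            continue
        _, reason = lawfulness(rec, today)
        for loc in list(rec.locations):          # copy: we mutate the list below
            if loc in PHYSICAL_LOCATIONS:
                tasks.append(ManualTask(rec.subject_id, loc))
                log.record(rec.subject_id, "erasure requested", f"{loc}: {reason}")
            else:
                rec.locations.remove(loc)
                log.record(rec.subject_id, "erased", f"{loc}: {reason}")
    return tasks


def confirm_manual_task(task: ManualTask, records: List[PersonalDataRecord],
                        log: ProcessingLog) -> None:
    """Responsible person confirms the physical copy is destroyed."""
    rec = next(r for r in records if r.subject_id == task.subject_id)
    rec.locations.remove(task.location)
    task.confirmed = True
    log.record(task.subject_id, "erasure confirmed", task.location)


def sample_records() -> List[PersonalDataRecord]:
    """Constructed sample data: one expired consent, one live contract, one with a paper copy."""
    return [
        PersonalDataRecord("S1", LegalBasis.CONSENT, date(2022, 1, 1), date(2024, 1, 1),
                           ["crm", "mailbox"]),
        PersonalDataRecord("S2", LegalBasis.CONTRACT, date(2023, 3, 1), None, ["crm"]),
        PersonalDataRecord("S3", LegalBasis.CONSENT, date(2021, 5, 1), date(2023, 5, 1),
                           ["crm", "paper_archive"]),
    ]


if __name__ == "__main__":
    log, records = ProcessingLog(), sample_records()
    pending = run_retention_job(records, TODAY, log)
    for task in pending:                 # in practice: notify the responsible person
        confirm_manual_task(task, records, log)
    for entry in log.entries:
        print(entry)
```

The job never erases anything whose legal title is still valid (S2 keeps its data), and a record only counts as erased once every copy, including the paper one, is gone; the log answers both "why were these data processed?" and "when and where were they erased?" without re-reading the data themselves.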
What is the meaning of the basic terms in GDPR?
All terms are defined in detail in Article 4 of the General Regulation. The ones we use most often on our site are listed below:
- Personal data – any information relating to an identified or identifiable natural person. Usually a name, surname or birth number, but also location data, IP addresses, photographs etc.
- Processing – any operation which is performed on personal data such as collection, retrieval, consultation, use, erasure etc.
- Data subject – natural person identified or identifiable by the personal data.
- Controller – natural or legal person which processes personal data.
- Processor – a natural or legal person which processes personal data on behalf of the controller.
- Consent – freely given, specific, informed and unambiguous indication of the data subject’s wishes to the processing of personal data relating to him or her.
Where can I find good sources of information about GDPR?
We can recommend in particular the following resources:
- The official text of the General Regulation published in the Official Journal of the European Union L 119;
- The official website dedicated to the reform of EU data protection rules.